Analysis Overview
SHA256
c7e75e49e6ce4ba7f1325c826df12099205f492943ea41c5c89879f30d0d0ef2
Threat Level: Known bad
The file 2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:16
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 match; no description, indicator, process or target recorded.
XMRig Miner payload
1 match; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target recorded.
Unsigned PE
1 match; no description, indicator, process or target recorded.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:15
Reported
2024-06-07 01:18
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
20 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
20 matches; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
63 matches; no description, indicator, process or target recorded.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NcNUaxg.exe | N/A |
| N/A | N/A | C:\Windows\System\YFXxtem.exe | N/A |
| N/A | N/A | C:\Windows\System\xbIuwfj.exe | N/A |
| N/A | N/A | C:\Windows\System\nQNuJbo.exe | N/A |
| N/A | N/A | C:\Windows\System\eGTYFJu.exe | N/A |
| N/A | N/A | C:\Windows\System\TrnxrST.exe | N/A |
| N/A | N/A | C:\Windows\System\Phqcknz.exe | N/A |
| N/A | N/A | C:\Windows\System\JgxMPKy.exe | N/A |
| N/A | N/A | C:\Windows\System\bMhLOJO.exe | N/A |
| N/A | N/A | C:\Windows\System\nttDhBt.exe | N/A |
| N/A | N/A | C:\Windows\System\qQpbixQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QlmAqjL.exe | N/A |
| N/A | N/A | C:\Windows\System\fYJyErh.exe | N/A |
| N/A | N/A | C:\Windows\System\bVmoqax.exe | N/A |
| N/A | N/A | C:\Windows\System\mhSSQnS.exe | N/A |
| N/A | N/A | C:\Windows\System\nJXlHjA.exe | N/A |
| N/A | N/A | C:\Windows\System\zSCupId.exe | N/A |
| N/A | N/A | C:\Windows\System\ibNaHRp.exe | N/A |
| N/A | N/A | C:\Windows\System\bKHmSWv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNlmqwk.exe | N/A |
| N/A | N/A | C:\Windows\System\vUKhewg.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
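Both runs record the sample enabling SeLockMemoryPrivilege twice. XMRig requests this right when it tries to back its RandomX memory with large pages, which makes the privilege a useful hunting pivot: on Windows 10 / Server 2016 and later, Security event 4703 ("A token right was adjusted", produced when the Audit Token Right Adjusted subcategory is enabled) records the adjusting process and the enabled/disabled privilege lists. The script below is an added example, not part of this report or of the sandbox's own tooling. Its EVENTS list is constructed to mirror the 4703 EventData fields, and its allow-list is an assumption for illustration; note that it trusts the exact System32 and SysWOW64 directories rather than the whole C:\Windows tree, because this sample drops its executables into C:\Windows\System.

```python
"""Flag processes that enabled SeLockMemoryPrivilege in Security event 4703.

Added example, not from the report. EVENTS is constructed; field names
follow the 4703 EventData schema. The allow-list is an assumption.
"""
import ntpath
import re

EVENTS = [  # constructed records; '-' is how 4703 renders an empty list
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4703,
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703,
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System\NcNUaxg.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\lsass.exe",
     "EnabledPrivilegeList": "-", "DisabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System\NcNUaxg.exe"},
]

# Assumption: only these exact directories are trusted. A plain C:\Windows\
# prefix would also cover C:\Windows\System\, where this sample drops.
ALLOWED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: images known to lock pages legitimately (SQL Server's
# "Lock pages in memory" option).
ALLOWED_IMAGES = {"sqlservr.exe"}


def privileges(field):
    """Split a 4703 privilege list (whitespace-separated); '-' means empty."""
    return {p for p in re.split(r"\s+", field or "") if p and p != "-"}


def is_allowed(process_name):
    """Exact-directory or exact-image allow-list, case-insensitive."""
    lower = process_name.lower()
    return lower.startswith(ALLOWED_DIRS) or ntpath.basename(lower) in ALLOWED_IMAGES


def lock_memory_hits(events):
    """Return image paths outside the allow-list that enabled SeLockMemoryPrivilege."""
    hits = []
    for e in events:
        if e.get("EventID") != 4703:
            continue
        if "SeLockMemoryPrivilege" not in privileges(e.get("EnabledPrivilegeList")):
            continue
        if not is_allowed(e["ProcessName"]):
            hits.append(e["ProcessName"])
    return hits


if __name__ == "__main__":
    for path in lock_memory_hits(EVENTS):
        print("SeLockMemoryPrivilege enabled by", path)
```

4703 is high-volume on a busy host, so filter on the privilege name first and on the image path second, and expect legitimate hits from software that uses locked pages by design, such as database engines.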
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\NcNUaxg.exe | C:\Windows\System\NcNUaxg.exe |
| C:\Windows\System\YFXxtem.exe | C:\Windows\System\YFXxtem.exe |
| C:\Windows\System\xbIuwfj.exe | C:\Windows\System\xbIuwfj.exe |
| C:\Windows\System\nQNuJbo.exe | C:\Windows\System\nQNuJbo.exe |
| C:\Windows\System\eGTYFJu.exe | C:\Windows\System\eGTYFJu.exe |
| C:\Windows\System\TrnxrST.exe | C:\Windows\System\TrnxrST.exe |
| C:\Windows\System\Phqcknz.exe | C:\Windows\System\Phqcknz.exe |
| C:\Windows\System\JgxMPKy.exe | C:\Windows\System\JgxMPKy.exe |
| C:\Windows\System\bMhLOJO.exe | C:\Windows\System\bMhLOJO.exe |
| C:\Windows\System\nttDhBt.exe | C:\Windows\System\nttDhBt.exe |
| C:\Windows\System\qQpbixQ.exe | C:\Windows\System\qQpbixQ.exe |
| C:\Windows\System\QlmAqjL.exe | C:\Windows\System\QlmAqjL.exe |
| C:\Windows\System\fYJyErh.exe | C:\Windows\System\fYJyErh.exe |
| C:\Windows\System\bVmoqax.exe | C:\Windows\System\bVmoqax.exe |
| C:\Windows\System\mhSSQnS.exe | C:\Windows\System\mhSSQnS.exe |
| C:\Windows\System\nJXlHjA.exe | C:\Windows\System\nJXlHjA.exe |
| C:\Windows\System\zSCupId.exe | C:\Windows\System\zSCupId.exe |
| C:\Windows\System\ibNaHRp.exe | C:\Windows\System\ibNaHRp.exe |
| C:\Windows\System\bKHmSWv.exe | C:\Windows\System\bKHmSWv.exe |
| C:\Windows\System\ZNlmqwk.exe | C:\Windows\System\ZNlmqwk.exe |
| C:\Windows\System\vUKhewg.exe | C:\Windows\System\vUKhewg.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
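Most of this table is sandbox background: PTR lookups through the 8.8.8.8 resolver and bing.com/bing.net hosts that the Windows 10 image contacts on its own. The one destination not tied to the resolver or to a Bing name is 3.120.209.58:8080, reached six times over plain TCP with no DNS query preceding it. The report does not say what is spoken on that port or whether the host is a beacon server or a mining pool, so the script below only ranks it as the endpoint to pivot on. It is an added example, not part of this report; NETWORK_TABLE is the table above as exported by the sandbox, where rows with an empty Domain cell have `tcp` shifted one column left (parse_rows() corrects that), and the background heuristics are this script's assumptions, not a verdict from the sandbox.

```python
"""Separate sandbox background traffic from the endpoint worth pivoting on.

Added example, not from the report. NETWORK_TABLE is copied from the
behavioral2 Network table; the background heuristics are assumptions.
"""
from collections import Counter

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

# Assumption: traffic the sandbox OS generates regardless of the sample.
BACKGROUND_DOMAIN_SUFFIXES = (".bing.com", ".bing.net")
BACKGROUND_RESOLVER = "8.8.8.8"


def parse_rows(table):
    """Return one dict per data row, tolerating a missing Domain cell."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        cells += [""] * (4 - len(cells))            # pad rows that lost a cell
        country, dest, domain, proto = cells[:4]
        if domain in ("tcp", "udp") and not proto:  # protocol shifted left
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(row):
    """Resolver queries, PTR lookups and Bing telemetry are OS noise here."""
    if row["host"] == BACKGROUND_RESOLVER and row["port"] == 53:
        return True
    if row["domain"].endswith(".in-addr.arpa"):
        return True
    return row["domain"].endswith(BACKGROUND_DOMAIN_SUFFIXES)


def candidate_endpoints(rows):
    """Count the remaining connections per (host, port, proto).

    Repeated connections to one host on a non-standard port, with no DNS
    name, are the beacon/pool candidates to pivot on.
    """
    return dict(Counter((r["host"], r["port"], r["proto"])
                        for r in rows if not is_background(r)))


if __name__ == "__main__":
    for (host, port, proto), n in candidate_endpoints(parse_rows(NETWORK_TABLE)).items():
        print(f"{host}:{port}/{proto}  {n} connections")
```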
Files
memory/2204-0-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp
memory/2204-1-0x000001C5771D0000-0x000001C5771E0000-memory.dmp
C:\Windows\System\NcNUaxg.exe
| MD5 | 682d9bfa2cf17bc3863ca78c9a5485d2 |
| SHA1 | 714aa31d5f2b8b1c2c0abf42876c76fc803d0f02 |
| SHA256 | b7943820c5f9f112b8aecdedfb2cea72fc54ac7f68b27ffd866dee33248b25f8 |
| SHA512 | 8d3859801f3283c820f8267a8e1cb0b4fd194260d1d9b5e03102a0b393b919840adea088544be8fe06356fa0b37f6c8e449a88a1662068b5046cb0281e313836 |
memory/2996-8-0x00007FF641620000-0x00007FF641974000-memory.dmp
C:\Windows\System\YFXxtem.exe
| MD5 | 9022d259f131f966aeb180532616e878 |
| SHA1 | d71d74ad68a8bc78022efc3d8ba90a7ccf56f252 |
| SHA256 | f923b0ea32c8e30590d89c94daa296e1be30afa8a01e564fc20d54e847dc24a8 |
| SHA512 | 23ce4746997e7ed3b66d09180093a9d304634c316a23f805003b8f2ef50b8272352f2fe1fb146365fac09a8b6e5dcc7993a62e76a3480e88d7fa2ab87690952c |
memory/1260-14-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp
C:\Windows\System\xbIuwfj.exe
| MD5 | 5e3c1c44eeaf0a234bfd932b352b8a82 |
| SHA1 | 53404a534f7d691d869705d9b2e34c13d90f9bf2 |
| SHA256 | 8b012b8f81fb711fd354725b9864181709bff6e3f30b0a9ccfd4e398eb715c80 |
| SHA512 | 127876f9fed1d346f7428584ccdf4698b8b90d831ed4e221cec075c0d5e636e9227578d4fcce10298d4e1e724d08995d6e205dc1c575ab33e1040ff52fa3bfcc |
memory/1360-20-0x00007FF702F10000-0x00007FF703264000-memory.dmp
C:\Windows\System\nQNuJbo.exe
| MD5 | e27b1bd88330f848ff603d5831461175 |
| SHA1 | 5ca934f50e46589be53fd468a8bec763b178d467 |
| SHA256 | 0e3ec72772d6fa7a0646273b95929a7a1a34eb3e9de06e6b8f0be438d4b0c050 |
| SHA512 | b578fe1e7a0279ff85996a95e55ea0a43ab3e73f358295c7dded57fa733eab788330d0e3824d29f21f6a62955aa219a2557e148cb379266ac8d4b3849a67c028 |
memory/4140-30-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp
C:\Windows\System\eGTYFJu.exe
| MD5 | 609c6cd78eb28215a896143da952753a |
| SHA1 | b08702a22c1dfa4e852dcf5722f1f1f598b8ce16 |
| SHA256 | eb841194c5586627885e07c57ef33cff7c5153e1ef23787186728d1a1db675c2 |
| SHA512 | 9cf5f317d9fd6641d585bd943720d261ec5c94ec925c64609025cdbcce6c6f8b2e158841bf03b2e8df0e50f01fbfd305e684c9835a6fc0b9be2860940b892c8b |
memory/1420-24-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp
C:\Windows\System\TrnxrST.exe
| MD5 | 9ce62272e904d938e9b1ab52047b7bed |
| SHA1 | de720a95c519dcc91d4a02c6db9b37f62262ee2c |
| SHA256 | 79bca4257c29962c9874b923b89a5a285718452b849e5e8492e4e49677cb9e72 |
| SHA512 | 047fb0b5efc6adefcb01282833b0e34853652a1c5659011bbec2a909d23352be8a0044b996c829f4c70612ef2d7ed120ac30e98552277c9ba7c96eb8a0b580a0 |
C:\Windows\System\Phqcknz.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
memory/3876-40-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp
memory/2844-39-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp
C:\Windows\System\Phqcknz.exe
| MD5 | 77dba91fb3c2cde72cb349d9f90ca79c |
| SHA1 | b84a9e63676a0ad38ca01ffd44702e7c9744ca69 |
| SHA256 | ed264866c0bae9fa9d4a16e9bcbd3d21ee672ee0eb5b22b64a5a0fa3926ac6d7 |
| SHA512 | 7688eeb8dd7644b0c13094022c2cf5cb3e8225b2176f2a6c3aa2c5fffd3842d1f2840ab41b990e0e98d17fd029498949a429fd63ec10fb6afac0d993f6b2e67c |
C:\Windows\System\JgxMPKy.exe
| MD5 | dee06d50b85e0adbb81c826f01393706 |
| SHA1 | a2089d2a102ccd63e564d7242009bbfbb057966a |
| SHA256 | fe6829f336b2a462dafc00c59dbde1e5dc937e75a9648b11ca6238cf981cddeb |
| SHA512 | f4f2e65ffaec8b96f0d5104442f8cfba63c920dc762ef932430d6a73df9ae6eceb12051e3d50cebf33e0a398f756dabaa836fe4276eb9c7e172582dd45117d3f |
memory/1220-48-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp
C:\Windows\System\bMhLOJO.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
C:\Windows\System\bMhLOJO.exe
| MD5 | 90a4690536f61f808cdff28f40c8d1e1 |
| SHA1 | cb625ea686b2a7df3f1a5cd20c5b66ac2ea0c334 |
| SHA256 | 2943994b0fb447066264ab603c5a5419c9f5dec85d3d5cb5301468a058263250 |
| SHA512 | 595b639d216ba7e16b61287c1fe4f2bf03878af722b289433e2de078b3345e4d3b0bd651d2027774246e33832a21b42687ca5334380e4e0597d04393e368db06 |
C:\Windows\System\nttDhBt.exe
| MD5 | 542e3838428bc1dab5c5b1311e6a64a8 |
| SHA1 | 626c0f29c4043b2b324639aade2ca33c5b4ea25e |
| SHA256 | 843f2ed5321c4686686af30027ce1830054d4dd5e404be2b4731af8043a16e4b |
| SHA512 | 6b4d8f7d176b4382761b0dad5e950badc4e4a8c4fbafa6fc1b15a97f6ea41d53d3dde77fc6ed5659b0d8372c5f0ddef6e06f59f81ba4d2b9c65009728caacadc |
memory/2204-61-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp
C:\Windows\System\qQpbixQ.exe
| MD5 | 24c799f31d37f20e6a45c663fbd4bc7f |
| SHA1 | 0cdada5f4e38dff8963b02508333bebaf72858f2 |
| SHA256 | 9b0d3f5d7d20a63ff0fb7eea26a84e1630e8c1550a003b6a57d0854bb738b4a1 |
| SHA512 | 93ba72472259ae15d57cc8534988af6fcce1cab4d83bab2dbd800ddee22cad65dbc1b640eaba9e228c09188817384fa879907fc4404254b2a1c4aecaad44644c |
memory/4288-64-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp
memory/2656-56-0x00007FF63F6C0000-0x00007FF63FA14000-memory.dmp
C:\Windows\System\QlmAqjL.exe
| MD5 | e57318a63971361a76a0a00d9b4ea356 |
| SHA1 | bcbb1d386880cdb0c47dbb78c72c9e0c7b42af3f |
| SHA256 | 26bb691ef68c214044385a52a6635445b6438fd9de6b112687eefbe01cac5fcc |
| SHA512 | 6888e5c051cd3f80c98da0a2943314be2dd98c855fc187b93f67188d909ba52c1ebfe577beea983c76a7a5ebbfebd0ad630b623d5fc90c3d3a0f5c4f02fea787 |
C:\Windows\System\fYJyErh.exe
| MD5 | 92dc21b361752419e6944ac5c8abc595 |
| SHA1 | 7181951bddbed2aff92587e9e876b1f55eda0f92 |
| SHA256 | b8df1882bd0627671ce8c9369326fc8c01cd62394659eb8861bb632c603944a4 |
| SHA512 | fed79a0e3522eee9785a584c043d6726b2dea4086f3f819f081520836dee43de8729dcda39969cbf33595127099bea127d5dd024e587b97524f618b59f5f1ebd |
C:\Windows\System\mhSSQnS.exe
| MD5 | 57aa48d8406671d0dcb7c9379e86902d |
| SHA1 | a3393915b790f3d46d5f4f0ee1765b1851a89067 |
| SHA256 | edba9c49f2618bc2613feccac26fe6d9275be87468e868ba1dbbedb8142820f4 |
| SHA512 | 650ba3fd40bf4ae1edd26670d310bb37fe65ec957228c14605577aa7280f5cde3844305b3c44eaa3522116094007f8c760e23a977afeac979fa55e7a4e592c9d |
C:\Windows\System\nJXlHjA.exe
| MD5 | 79b8ed996143e47c4d663690f2e02df2 |
| SHA1 | bb5ece110f91c853b61537d4379241e05fa197f9 |
| SHA256 | 204f50135dd3542de480a34086f76dc1412dc0dca3b7950d3c41d21dc390b28f |
| SHA512 | fa41037c4af41479df1c9770312fbf3ee5f5f6a691d400f8d6b85cf8964deb3910319c693c0063403c56e62c87c12ae62ac5a0f3a4926b0b4679db71abf02085 |
C:\Windows\System\bKHmSWv.exe
| MD5 | e31c581003e51523ef8cd76a84783dc2 |
| SHA1 | ecf4a6ca2861b7aeff73f9a776969bc4be912382 |
| SHA256 | 69b15f7d15aacc6f29671c5a318c5c563db20a1b80a606f911f4a94741be7319 |
| SHA512 | 75c9a26817d2b36ceb1759147fd4b1e5d06c5c9bcf76971ca453c7dc62a29bb067102cededf204d641b4d4e09e478458d96164be8842cb56cc0f6eb259de91cc |
C:\Windows\System\bKHmSWv.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
C:\Windows\System\vUKhewg.exe
| MD5 | 39e0b48602867ba7a27259b41e502711 |
| SHA1 | 2f5f932002a96d3516884f572deb44a213792601 |
| SHA256 | d17cd61ffe37d78fd2b29b96e1c45ec2f3e57ad4c634f55474932229eb1dac3c |
| SHA512 | d4bd0ad2169cefad8271031a22ec7f54ea99c2d7d6bd97ade92aea5c1e8060a0e1344f5be0daacd02add2f320a2988e5aae130008312f6c44075ad1ae20ae50d |
C:\Windows\System\ZNlmqwk.exe
| MD5 | 46cef478b7258c8fedd6e4c8110b10ed |
| SHA1 | 425d93655f35af25a5187a10036b4d3779d97f7d |
| SHA256 | affd811a828cfe87059a63716187acd3e7a2864ef7d13829c4645fee918039dd |
| SHA512 | 28fe0449b8a6cab5216d505b7b65b144b19519b573d322893130e12a17672079c2816fc760bc31ad52a7127a5a2273f3d32354e17f2228c77ee0b9fea9781673 |
C:\Windows\System\ibNaHRp.exe
| MD5 | 340992a7237dc521f419e3733452a17e |
| SHA1 | 928110cb51f67d90406b7785809ef282a747a514 |
| SHA256 | f15129a60de0c6e61092fd67d235db992807e02235487b180d74638c9e9592ea |
| SHA512 | cb114b6aaa2ccdcf6e7c221832ef4537a1cc68880a90aeda26faef234c8cbd96f66939aaabce99246f7a915b7f0a2fed901a8443afbd629c13bb1759c9bc37d1 |
C:\Windows\System\zSCupId.exe
| MD5 | cf313fd3567660358188c59a0a20f444 |
| SHA1 | 8632dac699892a62b347b390d451e31b8da6b7a2 |
| SHA256 | bdabd7afb3def616db7c79fd00c9940f52ea72dbe1ae83556070f60b0a8d097d |
| SHA512 | 76a5fac08caae91c1e4e9ec14c5cbac879cb012a5fb81ef0d12af0f3e9364b89a2676846187a24e57ea761fed334c621fb13cb54ad0b9ba008e40042d35f58b1 |
C:\Windows\System\bVmoqax.exe
| MD5 | 42392c99db77f9e2b1b77943876acc96 |
| SHA1 | 6e3d690eb2b4987a43047d9c6aaf0b8ff703968a |
| SHA256 | fb22aec338479d5a72173cfa3358659080bb225f575c580438bbf1beae2a660f |
| SHA512 | 961075aa266abd7b91ced28cc1ac3a770e01aee71a2faca3bfdc0a52c30734be616a16fd5830473776fa54ff599db8801b587fc29addd608d36cf9702c8e4914 |
C:\Windows\System\QlmAqjL.exe
| MD5 | 2130f4461ba7262c4b9569c7ad362fbe |
| SHA1 | 477f7cc69e47cdff19a52b2da61a04f2127580e1 |
| SHA256 | f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025 |
| SHA512 | bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703 |
memory/2644-120-0x00007FF7E8920000-0x00007FF7E8C74000-memory.dmp
memory/3144-119-0x00007FF799330000-0x00007FF799684000-memory.dmp
memory/4752-122-0x00007FF7A56D0000-0x00007FF7A5A24000-memory.dmp
memory/4092-123-0x00007FF7EE5F0000-0x00007FF7EE944000-memory.dmp
memory/4236-125-0x00007FF7EE5D0000-0x00007FF7EE924000-memory.dmp
memory/3068-124-0x00007FF7738E0000-0x00007FF773C34000-memory.dmp
memory/684-121-0x00007FF75F450000-0x00007FF75F7A4000-memory.dmp
memory/1872-118-0x00007FF63E430000-0x00007FF63E784000-memory.dmp
memory/1356-126-0x00007FF6FA990000-0x00007FF6FACE4000-memory.dmp
memory/1848-127-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp
memory/2180-128-0x00007FF7CDB00000-0x00007FF7CDE54000-memory.dmp
memory/1260-129-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp
memory/1360-130-0x00007FF702F10000-0x00007FF703264000-memory.dmp
memory/1420-131-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp
memory/2844-133-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp
memory/4140-132-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp
memory/3876-134-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp
memory/1220-135-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp
memory/2996-136-0x00007FF641620000-0x00007FF641974000-memory.dmp
memory/1260-137-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp
memory/1360-138-0x00007FF702F10000-0x00007FF703264000-memory.dmp
memory/1420-139-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp
memory/4140-140-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp
memory/2844-142-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp
memory/3876-141-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp
memory/1220-143-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp
memory/2656-144-0x00007FF63F6C0000-0x00007FF63FA14000-memory.dmp
memory/4288-145-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp
memory/1872-146-0x00007FF63E430000-0x00007FF63E784000-memory.dmp
memory/3144-147-0x00007FF799330000-0x00007FF799684000-memory.dmp
memory/2644-148-0x00007FF7E8920000-0x00007FF7E8C74000-memory.dmp
memory/684-149-0x00007FF75F450000-0x00007FF75F7A4000-memory.dmp
memory/4752-150-0x00007FF7A56D0000-0x00007FF7A5A24000-memory.dmp
memory/4092-151-0x00007FF7EE5F0000-0x00007FF7EE944000-memory.dmp
memory/3068-152-0x00007FF7738E0000-0x00007FF773C34000-memory.dmp
memory/4236-153-0x00007FF7EE5D0000-0x00007FF7EE924000-memory.dmp
memory/1356-154-0x00007FF6FA990000-0x00007FF6FACE4000-memory.dmp
memory/1848-156-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp
memory/2180-155-0x00007FF7CDB00000-0x00007FF7CDE54000-memory.dmp
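Two things in this Files listing are worth extracting rather than reading off by eye. First, each dump name encodes the address range that was captured, and every dump except one is exactly 0x354000 bytes long whichever of the 21 dropped names the process ran under (the exception is a 0x10000 region from pid 2204; the single dump in the Win7 run below has the same 0x354000 size). The 25 distinct file hashes therefore hide identically sized in-memory images. Second, four paths (Phqcknz.exe, bMhLOJO.exe, bKHmSWv.exe, QlmAqjL.exe) appear twice with different hashes, so the same filename was written twice with different content: a hash blocklist needs all 25 values, while the C:\Windows\System\<seven letters>.exe pattern covers every drop. The parser below is an added example, not part of the report; FILES is an excerpt of this section with the MD5/SHA1/SHA512 rows omitted, and reading memory/<pid>-<n>-<start>-<end>-memory.dmp as a virtual address range is an assumption about the sandbox's naming.

```python
"""Pull region sizes and rewritten paths out of a sandbox Files listing.

Added example, not from the report. FILES is an excerpt of the behavioral2
Files section above; the dump-name layout is an assumption.
"""
import re
from collections import defaultdict

FILES = r"""
memory/2204-0-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp
memory/2204-1-0x000001C5771D0000-0x000001C5771E0000-memory.dmp
C:\Windows\System\NcNUaxg.exe
| SHA256 | b7943820c5f9f112b8aecdedfb2cea72fc54ac7f68b27ffd866dee33248b25f8 |
memory/2996-8-0x00007FF641620000-0x00007FF641974000-memory.dmp
memory/1260-14-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp
memory/1360-20-0x00007FF702F10000-0x00007FF703264000-memory.dmp
memory/4140-30-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp
memory/1420-24-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp
C:\Windows\System\Phqcknz.exe
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
memory/3876-40-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp
memory/2844-39-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp
C:\Windows\System\Phqcknz.exe
| SHA256 | ed264866c0bae9fa9d4a16e9bcbd3d21ee672ee0eb5b22b64a5a0fa3926ac6d7 |
C:\Windows\System\bMhLOJO.exe
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
C:\Windows\System\bMhLOJO.exe
| SHA256 | 2943994b0fb447066264ab603c5a5419c9f5dec85d3d5cb5301468a058263250 |
C:\Windows\System\QlmAqjL.exe
| SHA256 | 26bb691ef68c214044385a52a6635445b6438fd9de6b112687eefbe01cac5fcc |
C:\Windows\System\bKHmSWv.exe
| SHA256 | 69b15f7d15aacc6f29671c5a318c5c563db20a1b80a606f911f4a94741be7319 |
C:\Windows\System\bKHmSWv.exe
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
C:\Windows\System\QlmAqjL.exe
| SHA256 | f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025 |
"""

# Assumption: memory/<pid>-<n>-<start>-<end>-memory.dmp, addresses in hex.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# Every drop in this run lives in C:\Windows\System (the legacy folder, not
# System32) under a seven-letter name.
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_files(text):
    """Return (dumps, sha256_by_path); dumps are (pid, start, end) tuples."""
    dumps, by_path, current = [], defaultdict(list), None
    for line in text.splitlines():
        if m := DUMP_RE.match(line):
            pid, _, start, end = m.groups()
            dumps.append((int(pid), int(start, 16), int(end, 16)))
        elif m := HASH_RE.match(line):
            if m.group(1) == "SHA256" and current:
                by_path[current].append(m.group(2))
        elif line.strip():
            current = line.strip()      # a file path introduces its hash rows
    return dumps, dict(by_path)


def pids_by_region_size(dumps):
    """Group processes by the byte length of the region dumped from them."""
    sizes = defaultdict(set)
    for pid, start, end in dumps:
        sizes[end - start].add(pid)
    return dict(sizes)


def rewritten_paths(by_path):
    """Paths that were written more than once with different content."""
    return {p: h for p, h in by_path.items() if len(set(h)) > 1}


if __name__ == "__main__":
    dumps, by_path = parse_files(FILES)
    for size, pids in sorted(pids_by_region_size(dumps).items()):
        print(f"0x{size:X} bytes: pids {sorted(pids)}")
    for path, hashes in rewritten_paths(by_path).items():
        print(path, "->", len(hashes), "distinct SHA256 values")
    print("all drops match pattern:", all(DROP_RE.match(p) for p in by_path))
```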
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:15
Reported
2024-06-07 01:18
Platform
win7-20240215-en
Max time kernel
132s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
49 matches; no description, indicator, process or target recorded.
XMRig Miner payload
52 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KAtpHeo.exe | N/A |
| N/A | N/A | C:\Windows\System\EWdpqvx.exe | N/A |
| N/A | N/A | C:\Windows\System\OkhPnVg.exe | N/A |
| N/A | N/A | C:\Windows\System\FRbjozv.exe | N/A |
| N/A | N/A | C:\Windows\System\OfWdjbz.exe | N/A |
| N/A | N/A | C:\Windows\System\QhIJdkH.exe | N/A |
| N/A | N/A | C:\Windows\System\FEtsAGq.exe | N/A |
| N/A | N/A | C:\Windows\System\rYMQKHV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcpwirM.exe | N/A |
| N/A | N/A | C:\Windows\System\TKcmYxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MxJKnKV.exe | N/A |
| N/A | N/A | C:\Windows\System\QLqSKBV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPteklv.exe | N/A |
| N/A | N/A | C:\Windows\System\GHhJkCb.exe | N/A |
| N/A | N/A | C:\Windows\System\nIpcUZi.exe | N/A |
| N/A | N/A | C:\Windows\System\WlihAIF.exe | N/A |
| N/A | N/A | C:\Windows\System\iJpKTfy.exe | N/A |
| N/A | N/A | C:\Windows\System\lfiTzsk.exe | N/A |
| N/A | N/A | C:\Windows\System\pdHZUwe.exe | N/A |
| N/A | N/A | C:\Windows\System\KVDItAf.exe | N/A |
| N/A | N/A | C:\Windows\System\jbCSXlQ.exe | N/A |
Loads dropped DLL
UPX packed file
52 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\KAtpHeo.exe | C:\Windows\System\KAtpHeo.exe |
| C:\Windows\System\EWdpqvx.exe | C:\Windows\System\EWdpqvx.exe |
| C:\Windows\System\OkhPnVg.exe | C:\Windows\System\OkhPnVg.exe |
| C:\Windows\System\FRbjozv.exe | C:\Windows\System\FRbjozv.exe |
| C:\Windows\System\OfWdjbz.exe | C:\Windows\System\OfWdjbz.exe |
| C:\Windows\System\QhIJdkH.exe | C:\Windows\System\QhIJdkH.exe |
| C:\Windows\System\FEtsAGq.exe | C:\Windows\System\FEtsAGq.exe |
| C:\Windows\System\rYMQKHV.exe | C:\Windows\System\rYMQKHV.exe |
| C:\Windows\System\ZcpwirM.exe | C:\Windows\System\ZcpwirM.exe |
| C:\Windows\System\TKcmYxQ.exe | C:\Windows\System\TKcmYxQ.exe |
| C:\Windows\System\MxJKnKV.exe | C:\Windows\System\MxJKnKV.exe |
| C:\Windows\System\QLqSKBV.exe | C:\Windows\System\QLqSKBV.exe |
| C:\Windows\System\ZPteklv.exe | C:\Windows\System\ZPteklv.exe |
| C:\Windows\System\GHhJkCb.exe | C:\Windows\System\GHhJkCb.exe |
| C:\Windows\System\nIpcUZi.exe | C:\Windows\System\nIpcUZi.exe |
| C:\Windows\System\WlihAIF.exe | C:\Windows\System\WlihAIF.exe |
| C:\Windows\System\iJpKTfy.exe | C:\Windows\System\iJpKTfy.exe |
| C:\Windows\System\lfiTzsk.exe | C:\Windows\System\lfiTzsk.exe |
| C:\Windows\System\pdHZUwe.exe | C:\Windows\System\pdHZUwe.exe |
| C:\Windows\System\KVDItAf.exe | C:\Windows\System\KVDItAf.exe |
| C:\Windows\System\jbCSXlQ.exe | C:\Windows\System\jbCSXlQ.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
\Windows\system\KAtpHeo.exe
C:\Windows\system\FEtsAGq.exe
C:\Windows\system\TKcmYxQ.exe
C:\Windows\system\QLqSKBV.exe
C:\Windows\system\nIpcUZi.exe
C:\Windows\system\lfiTzsk.exe
C:\Windows\system\jbCSXlQ.exe
\Windows\system\KVDItAf.exe
C:\Windows\system\pdHZUwe.exe
\Windows\system\iJpKTfy.exe
C:\Windows\system\WlihAIF.exe
C:\Windows\system\ZPteklv.exe
\Windows\system\nIpcUZi.exe
C:\Windows\system\GHhJkCb.exe
C:\Windows\system\MxJKnKV.exe
C:\Windows\system\ZcpwirM.exe
C:\Windows\system\rYMQKHV.exe
C:\Windows\system\OfWdjbz.exe
\Windows\system\QhIJdkH.exe
C:\Windows\system\FRbjozv.exe
\Windows\system\OkhPnVg.exe
C:\Windows\system\EWdpqvx.exe